Facebook shops for passwords sold on the online black market, buying up credentials from crooks to sniff out which ones its users are reusing, Chief Security Officer Alex Stamos said at the Web Summit in Lisbon on Wednesday.
CNET quoted Stamos:
The reuse of passwords is the No. 1 cause of harm on the internet.
Facebook is reportedly cross-referencing the passwords against users’ password hashes to see if they hit a match. Stamos said the work is “computationally heavy” but that it’s resulted in Facebook alerting tens of millions of users to beef up their passwords.
We already knew that Facebook checks user credentials against caches of stolen logins posted online.
That came to light after the 2013 Adobe breach, when Facebook’s security team was mining the leaked data to find users who committed the egregious security sin of using the same password to log in to both Facebook and Adobe.
Once it found matches, Facebook locked the users in a closet, tucking the accounts out of the public eye until the account owners had changed their passwords.
At the time, many people wondered how Facebook was able to find password reusers without storing their passwords in clear text or in some other unencrypted, or poorly encrypted, fashion. Some may pose the same question with regard to Facebook’s black-market password shopping.
We’ll reiterate what we said back in 2013 with the Adobe breach: Facebook doesn’t have to do anything Big-Brotherish with data mining.
Chris Long, a security incident response manager at Facebook, gave this explanation at the time:
We used the plaintext passwords that had already been worked out by researchers. We took those recovered plaintext passwords and ran them through the same code that we use to check your password at login time.
In simple terms, Facebook doesn’t store users’ passwords. Rather, it passes them through one-way hashing functions and stores the result.
It can do that because passwords can be used to create hashes, but the reverse isn’t true: a hash can’t be used to recreate the password that made it, so storing the hash doesn’t mean storing the password.
When somebody logs in to Facebook, the password they hand over is passed through a one-way hashing function. If the result matches what Facebook has on record, that user is allowed in.
Facebook used the same process on passwords that researchers recovered from the Adobe data. Ditto for passwords it purchases on the black market: if a recovered password that Facebook passes through the company’s hashing function matches what the company has on record for that user, Facebook knows it’s hit on a password reuser.
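To make the process concrete, here is an added illustration in Python (not Facebook’s own code, which isn’t public). Passwords are stored only as a per-user random salt plus a PBKDF2 hash; the login-time check rehashes a candidate with that salt; and the very same check is run over recovered plaintexts to flag accounts whose password appears in the leak. The function names, iteration count and sample accounts are constructed for the example.

```python
import hashlib
import hmac
import os

# Assumed work factor for the example; a real site picks its own.
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """One-way hash used at signup and again at every login."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def create_record(password: str) -> dict:
    """What the site keeps: a random per-user salt and the hash, never the password."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


def verify(record: dict, candidate: str) -> bool:
    """The login-time check: rehash the candidate with the stored salt and
    compare in constant time. This is the routine reused for leaked data."""
    return hmac.compare_digest(record["hash"], hash_password(candidate, record["salt"]))


def find_reusers(users: dict, leaked: list) -> set:
    """Run each recovered (email, plaintext) pair through the login check for
    the matching account. Per-user salts mean every leaked password must be
    hashed afresh for each account it is tried against, which is why the work
    is 'computationally heavy'. A match means that account's password is in
    the leak and its owner should be told to change it."""
    flagged = set()
    for email, password in leaked:
        record = users.get(email)
        if record is not None and verify(record, password):
            flagged.add(email)
    return flagged


# Constructed sample data: three accounts and a fictional recovered-password list.
USERS = {
    "alice@example.com": create_record("correct horse battery staple"),
    "bob@example.com": create_record("hunter2"),
    "carol@example.com": create_record("Tr0ub4dor&3"),
}
LEAKED = [
    ("alice@example.com", "correct horse battery staple"),  # reused: flag it
    ("bob@example.com", "letmein"),                         # different password: no match
    ("dave@example.com", "hunter2"),                        # no such account here
]

if __name__ == "__main__":
    print(sorted(find_reusers(USERS, LEAKED)))  # ['alice@example.com']
```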
But while it’s old news that Facebook (thankfully!) protects users in this manner, we didn’t know it was paying crooks to do it.
That’s a revelation, though it makes sense if you think about it: how else would Facebook get the passwords?
Still, it raises interesting ethical questions. Does good, preventative password hygiene make it right to subsidize cyber crooks?
It could be compared to paying ransomware, and that’s one thing that law enforcement has vigorously tried to talk victims out of.
In fact, in July, the Dutch National Police and Europol launched a portal called No More Ransom, aimed at helping victims to recover data without having to pay ransom to crooks who could, for all you know, just try to gouge you for more money a second time, or a third time, or… well, you get the idea.
What will those law enforcement agencies think about Facebook putting money in crooks’ pockets? What should they think, given that it’s being done to protect users from all manner of threats – including malware such as ransomware?
Please tell us what you think in the comments section below.
And if you need an alternative to reusing the same passwords on different sites, we’ve got you covered. Here’s why we think you should consider using a password manager, and below is a short, sweet video showing you how to cook up the one brawny password you’ll need to lock up that password manager.
“Facebook is reportedly cross-referencing the passwords against users’ encrypted passwords to see if they hit a match.”
That sentence should be changed as the passwords are not encrypted. They are hashed, as the article goes on to describe.
“In simple terms, Facebook doesn’t store users’ passwords. Rather, it passes them through one-way hashing functions and stores the result.”
Fair point, fixed, thanks.
I think the statement that a password hash is a one-way cipher, and thus that Facebook or anyone else cannot recover it, is misleading.
Lisa didn’t make that statement. Lisa said “passwords can be used to create hashes, but the reverse isn’t true: hashes can’t be used to recreate the passwords that made them.”
If you’re suggesting that Facebook et al. *can* recover passwords after all, because correctly-implemented password hashing *isn’t* one-way, I suggest you read this:
https://nakedsecurity.sophos.com/2013/11/20/serious-security-how-to-store-your-users-passwords-safely/
Unless there is a cryptographic flaw in the hashing algorithm you use, you can only work out which password matches each hash by trying every possible password one at a time until you get a match.
(Cryptographic hashes, unlike so-called “checksums”, are specifically designed to be one-way functions. Given X, you can compute f(X) = Y, but given Y, you can’t go backwards and compute X.)
Paul is absolutely right. The process would be to compare hashes of stolen passwords with the stored hashes of Facebook accounts. If they match, Facebook doesn’t know what the password is, they merely know that it would be a good idea for the user to change his or her password.
It’s a shame that Facebook has to support criminals to buy the stolen passwords in the process.
I suspect now that the strategy is public, there will be a bunch of crooks generating fake password files and hoping Facebook buys them.
I think that FB’s strategy isn’t that wrong. They have come out with the best possible solution they could and targeted those accounts they knew used the same passwords and locked them out. Isn’t that the most efficient solution? I think it’s brilliant!
All the work that is being put into making people aware that they should change passwords doesn’t compare to this, because regular people simply don’t know what is being talked about and don’t get the facts. You can invest lots of time making people aware, but you simply can’t reach that many people in the short term, which is critical, because the safety of their data is at stake.
As for crooks and buying credentials from them… the fact is the credentials were stolen and put on the internet. Crooks are getting some money from it; if they didn’t, they would simply give it away for free. That way you must be really interested to get the credentials and pay for them, which leaves rookies out.
Purchasing anything on a black market should be illegal. The end does not justify the means. In the most dire situations, such as kidnapping for example, law enforcement should be involved. This would ensure transparency and possible capture of the offenders.
Not that I like changing my passphrase, but an alternative could be to wait for a consumer report of compromise and then force reset. Crooks should not profit from sloppy consumer password management. I would rather see Facebook spend their money catching and prosecuting the bad guys.
I guess we don’t have any clue how many resources Facebook puts into security and possibly chasing the bad guys. These are only assumptions; it would be good to know how much work is done in the background that we don’t know of.
They can afford to spend money financing the very people who want our credentials to attack our bank accounts… you decide, I know who I trust. Facebook account… closed with immediate effect, thank you.
Morally, it’s kinda like paying bug bounty to a black hat hacker for a bug in someone else’s software without getting the hacker to disclose the bug.
How different is this buying of stolen passwords, really, from companies, or governments, hiring hackers to hack for a living? I realize these are not exactly the same in detail, but how different are they in principle?
Then why not hack these illegitimate sites instead of patronizing them?